SONARJAVA-4832 Implement S6881

VirtualThreads should be used for tasks that include heavy blocking operations.

Author: johann-beleites-sonarsource

its/autoscan/src/test/resources/autoscan/diffs/diff_S6881.json

@@ -0,0 +1,6 @@
+{
+  "ruleKey": "S6881",
+  "hasTruePositives": true,
+  "falseNegatives": 0,
+  "falsePositives": 0
+}

java-checks-test-sources/default/src/main/java/checks/BlockingOperationsInVirtualThreadsCheckSample.java

@@ -0,0 +1,144 @@
+package checks;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+public class BlockingOperationsInVirtualThreadsCheckSample {
+  HttpURLConnection con = (java.net.HttpURLConnection) new java.net.URL("http://localhost:64738").openConnection();
+
+  public BlockingOperationsInVirtualThreadsCheckSample() throws IOException {
+  }
+
+  void newThread() throws IOException {
+
+    new Thread(() -> {
+      try {
+        con.getResponseMessage(); // Noncompliant [[sc=13;ec=31;secondary=-2]] {{Use virtual threads for heavy blocking operations.}}
+        con.getResponseCode(); // Noncompliant
+        con.disconnect(); // Compliant
+        con.getInputStream(); // Compliant
+        con.getRequestMethod(); // Compliant
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    });
+
+    Thread.ofPlatform().start(() -> {
+      try {
+        con.getResponseMessage(); // Noncompliant
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    });
+
+    Thread.ofPlatform().unstarted(() -> {
+      try {
+        con.getResponseMessage(); // Noncompliant
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    });
+
+    try {
+      con.getResponseMessage(); // Compliant - not in a thread
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+
+    new Thread(new Runnable() {
+      @Override
+      public void run() {
+        try {
+          con.getResponseMessage(); // Noncompliant
+        } catch (IOException e) {
+          throw new RuntimeException(e);
+        }
+      }
+    });
+
+    new Thread() {
+      @Override
+      public void run() {
+        try {
+          con.getResponseMessage(); // Noncompliant
+        } catch (IOException e) {
+          throw new RuntimeException(e);
+        }
+      }
+    };
+  }
+
+  void executor() {
+    ExecutorService executor = Executors.newFixedThreadPool(100);
+    executor.execute(() -> {
+      try {
+        con.getResponseMessage(); // Compliant FN - we don't support ExecutorService, as it is hard to determine if it uses virtual threads without data flow analysis
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    });
+  }
+
+  private class NoncompliantThread extends Thread {
+    @Override
+    public void run() {
+      try {
+        con.getResponseMessage(); // Noncompliant
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  private class CompliantRunnable implements Runnable {
+    @Override
+    public void run() {
+      try {
+        con.getResponseMessage(); // Compliant - not a thread
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  void otherBlockingOperations() {
+    new Thread(() -> {
+      try {
+        Thread.sleep(1000); // Noncompliant
+      } catch (InterruptedException e) {
+        throw new RuntimeException(e);
+      }
+    });
+  }
+
+  void compliantVirtualThreads() {
+
+    Thread.ofVirtual().start(() -> {
+      try {
+        con.getResponseMessage(); // Compliant
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    });
+
+    Thread.startVirtualThread(() -> {
+      try {
+        con.getResponseMessage(); // Compliant
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    });
+
+    try (ExecutorService myExecutor = Executors.newVirtualThreadPerTaskExecutor()) {
+      myExecutor.execute(() -> {
+        try {
+          con.getResponseMessage(); // Compliant
+        } catch (IOException e) {
+          throw new RuntimeException(e);
+        }
+      });
+    }
+  }
+}

java-checks/src/main/java/org/sonar/java/checks/BlockingOperationsInVirtualThreadsCheck.java

@@ -0,0 +1,144 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.java.checks;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.sonar.check.Rule;
+import org.sonar.java.model.ExpressionUtils;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.JavaFileScannerContext;
+import org.sonar.plugins.java.api.JavaVersion;
+import org.sonar.plugins.java.api.JavaVersionAwareVisitor;
+import org.sonar.plugins.java.api.semantic.MethodMatchers;
+import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.java.api.tree.MethodInvocationTree;
+import org.sonar.plugins.java.api.tree.MethodTree;
+import org.sonar.plugins.java.api.tree.NewClassTree;
+import org.sonar.plugins.java.api.tree.Tree;
+
+@Rule(key = "S6881")
+public class BlockingOperationsInVirtualThreadsCheck extends IssuableSubscriptionVisitor implements JavaVersionAwareVisitor {
+
+  /*
+   * #### Disclaimers ####
+   *
+   * This rule would benefit from a call graph analysis to determine which blocking operations are executed in a thread. For proper
+   * reporting, it would be important to report issues with a flow, clearly showing the path from the blocking operation to the thread
+   * creation. While we already have tools to find reachable methods (see TreeHelper#findReachableMethodsInSameFile), they do not provide
+   * the necessary information to build a flow and hence a report would be quite confusing. For now, the rule is limited to only very basic
+   * cases.
+   *
+   * On the other hand, this rule may falsely trigger on some cases where the blocking operation is not executed in the thread, but e.g.
+   * returned within a lambda or object to be executed later. I.e. a thread creating a runnable for later execution.
+   */
+
+  private static final String JAVA_LANG_THREAD = "java.lang.Thread";
+
+  @Override
+  public List<Tree.Kind> nodesToVisit() {
+    return List.of(Tree.Kind.NEW_CLASS, Tree.Kind.METHOD_INVOCATION, Tree.Kind.METHOD);
+  }
+
+  @Override
+  public boolean isCompatibleWithJavaVersion(JavaVersion version) {
+    return version.isJava21Compatible();
+  }
+
+  // This rule currently only supports a limited set of blocking operations, focused on core Java HTTP requests.
+  private static final MethodMatchers blockingOperations = MethodMatchers.or(
+    MethodMatchers.create()
+      .ofTypes("java.net.URLConnection", "java.net.HttpURLConnection")
+      .names("getResponseCode", "getResponseMessage")
+      .withAnyParameters()
+      .build(),
+    MethodMatchers.create()
+      .ofTypes(JAVA_LANG_THREAD)
+      .names("sleep")
+      .addParametersMatcher("long")
+      .build());
+
+  private static final MethodMatchers threadCreationConstructors = MethodMatchers.create()
+    .ofSubTypes(JAVA_LANG_THREAD)
+    .constructor()
+    .addParametersMatcher("java.lang.Runnable")
+    .build();
+
+  private static final MethodMatchers platformThreadMethods = MethodMatchers.create()
+    .ofTypes(JAVA_LANG_THREAD + "$Builder$OfPlatform")
+    .names("start", "unstarted")
+    .addParametersMatcher("java.lang.Runnable")
+    .build();
+
+  // For cases where a method is overwritten to define a thread's behavior (instead of e.g. passing a lambda to a Thread's constructor).
+  private static final MethodMatchers overwritableThreadMethods = MethodMatchers.create()
+    .ofSubTypes(JAVA_LANG_THREAD)
+    .names("run")
+    .addWithoutParametersMatcher()
+    .build();
+
+  @Override
+  public void visitNode(Tree tree) {
+    switch (tree.kind()) {
+      case NEW_CLASS -> onConstructorFound((NewClassTree) tree);
+      case METHOD_INVOCATION -> onMethodInvocationFound((MethodInvocationTree) tree);
+      case METHOD -> onMethodFound((MethodTree) tree);
+    }
+  }
+
+  private void onConstructorFound(NewClassTree newClassTree) {
+    if (threadCreationConstructors.matches(newClassTree)) {
+      analyzeForIssues(newClassTree.arguments().get(0), newClassTree.identifier());
+    }
+  }
+
+  private void onMethodInvocationFound(MethodInvocationTree mit) {
+    if (platformThreadMethods.matches(mit)) {
+      analyzeForIssues(mit.arguments().get(0), mit.methodSelect());
+    }
+  }
+
+  private void onMethodFound(MethodTree tree) {
+    if (overwritableThreadMethods.matches(tree)) {
+      analyzeForIssues(tree, tree.simpleName());
+    }
+  }
+
+  private void analyzeForIssues(Tree tree, Tree secondary) {
+    var finder = new BlockingOperationFinder();
+    tree.accept(finder);
+    finder.collectedBlockingOperations.forEach(mit -> reportIssue(
+      ExpressionUtils.methodName(mit),
+      "Use virtual threads for heavy blocking operations.",
+      List.of(new JavaFileScannerContext.Location("Containing thread", secondary)),
+      null));
+  }
+
+  private static class BlockingOperationFinder extends BaseTreeVisitor {
+    final List<MethodInvocationTree> collectedBlockingOperations = new ArrayList<>();
+
+    @Override
+    public void visitMethodInvocation(MethodInvocationTree mit) {
+      if (blockingOperations.matches(mit)) {
+        collectedBlockingOperations.add(mit);
+      }
+    }
+  }
+}

java-checks/src/test/java/org/sonar/java/checks/BlockingOperationsInVirtualThreadsCheckTest.java

@@ -0,0 +1,45 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.java.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+import org.sonar.java.checks.verifier.TestUtils;
+
+class BlockingOperationsInVirtualThreadsCheckTest {
+
+  @Test
+  void test() {
+    CheckVerifier.newVerifier()
+      .onFile(TestUtils.mainCodeSourcesPath("checks/BlockingOperationsInVirtualThreadsCheckSample.java"))
+      .withCheck(new BlockingOperationsInVirtualThreadsCheck())
+      .withJavaVersion(21)
+      .verifyIssues();
+  }
+
+  @Test
+  void test_no_issues_below_java_21() {
+    CheckVerifier.newVerifier()
+      .onFile(TestUtils.mainCodeSourcesPath("checks/BlockingOperationsInVirtualThreadsCheckSample.java"))
+      .withCheck(new BlockingOperationsInVirtualThreadsCheck())
+      .withJavaVersion(20)
+      .verifyNoIssues();
+  }
+}

sonar-java-plugin/src/main/java/org/sonar/plugins/java/CheckList.java

@@ -48,6 +48,7 @@
 import org.sonar.java.checks.BasicAuthCheck;
 import org.sonar.java.checks.BatchSQLStatementsCheck;
 import org.sonar.java.checks.BigDecimalDoubleConstructorCheck;
+import org.sonar.java.checks.BlockingOperationsInVirtualThreadsCheck;
 import org.sonar.java.checks.BluetoothLowPowerModeCheck;
 import org.sonar.java.checks.BooleanInversionCheck;
 import org.sonar.java.checks.BooleanLiteralCheck;
@@ -762,6 +763,7 @@ public final class CheckList {
     BigDecimalDoubleConstructorCheck.class,
     AndroidBiometricAuthWithoutCryptoCheck.class,
     BlindSerialVersionUidCheck.class,
+    BlockingOperationsInVirtualThreadsCheck.class,
     BluetoothLowPowerModeCheck.class,
     BooleanInversionCheck.class,
     BooleanLiteralCheck.class,